Upgrade dex to v2.31.1, chart version 0.8.2

Remove the build of dex and dex-helm, use the upstream chart from https://github.com/dexidp. Defer to the upstream image for dex v2.31.1. Remove the "fluxcd" moniker of the application tarball; drop the armada version, keep the fluxcd version. Update the k8sapp plugin and fluxcd manifest values for dex helm chart changes. Update the tests for change of replicaCount parameter (was 'replicas' in the old dex). The default static overrides (fluxcd) and system overrides (k8sapp) maintain the existing use cases provided in Starlingx documentation: https://docs.starlingx.io/security/kubernetes/configure-oidc-auth-applications.html Test cases: PASS: CentOS build PASS: Debian build PASS: Inspect content of fluxcd application tarball (CentOS and Debian) PASS: Application upload/apply/remove/delete PASS: Authentication and Authorization: oidc-auth PASS: Authentication and Authorization: web/curl and kubectl PASS: Cert-manager use case PASS: User provided certs use case ('signed by an external CA'), minimal user overrides PASS: Poke Dex and OIDC client web interfaces PASS: IPv4 PASS: IPv6 PASS: rendering of extraStaticClients Story: 2009838 Task: 44437 Story: 2009138 Task: 44661 Depends-On: https://review.opendev.org/c/starlingx/config/+/842420 Change-Id: I68d5d0d33062adf3b35a9815b2926e4b8d36d662 Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
2022-04-29 09:35:14 -04:00 · 2022-04-29 09:35:14 -04:00 · aa87dc23b3
commit aa87dc23b3
parent 216116b766
47 changed files with 225 additions and 1236 deletions
--- a/centos_iso_image.inc
+++ b/centos_iso_image.inc
@ -1,3 +1,2 @@
 stx-oidc-auth-helm
-stx-oidc-auth-helm-fluxcd
 oidcauthtools
--- a/1
+++ b/1
@ -1,4 +1,3 @@
-dex-helm
 stx-oidc-auth-helm
 oidc-auth-tools
 python-k8sapp-oidc
--- a/centos_tarball-dl.lst
+++ b/centos_tarball-dl.lst
@ -0,0 +1 @@
+dex-0.8.2.tgz#dex#https://github.com/dexidp/helm-charts/releases/download/dex-0.8.2/dex-0.8.2.tgz#https##
--- a/1
+++ b/1
@ -1,4 +1,3 @@
-dex-helm
 stx-oidc-auth-helm
 oidc-auth-tools
 python-k8sapp-oidc
--- a/dex-helm/centos/build_srpm.data
+++ b/dex-helm/centos/build_srpm.data
@ -1,7 +0,0 @@
-TAR_NAME=helm-charts
-SHA=92b6289ae93816717a8453cfe62bad51cbdb8ad0
-VERSION=1.0.0
-TAR="$TAR_NAME-$SHA.tar.gz"
-
-COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/* "
-TIS_PATCH_VER=PKG_GITREVCOUNT
--- a/dex-helm/centos/dex-helm.spec
+++ b/dex-helm/centos/dex-helm.spec
@ -1,72 +0,0 @@
-# Application tunables (maps to metadata)
-%global app_name oidc-auth-apps
-%global helm_repo stx-platform
-
-# Install location
-%global app_folder /usr/local/share/applications/helm
-
-# Build variables
-%global helm_folder /usr/lib/helm
-
-%global sha 92b6289ae93816717a8453cfe62bad51cbdb8ad0
-
-Summary: StarlingX OIDC auth Helm charts
-Name: dex-helm
-Version: 1.0
-Release: %{tis_patch_ver}%{?_tis_dist}
-License: Apache-2.0
-Group: base
-Packager: Wind River <info@windriver.com>
-URL: unknown
-
-Source0: helm-charts-%{sha}.tar.gz
-Source1: repositories.yaml
-Source2: index.yaml
-Source3: Makefile
-
-Patch01: 0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
-Patch02: 0002-add-image-pull-secrets.patch
-Patch03: 0003-Add-affinity-support.patch
-Patch04: 0004-Automatically-roll-deployments.patch
-Patch05: 0005-Update-Dex-chart-for-Helm-v3.patch
-Patch06: 0006-Create-new-config-value-extraStaticClients.patch
-Patch07: 0007-Add-tolerance-in-dex-helm-chart.patch
-Patch08: 0008-fix-deployment-nodePorts-for-helmv3.patch
-
-BuildArch: noarch
-
-BuildRequires: helm
-
-%description
-StarlingX OIDC auth Helm charts
-
-%prep
-#%setup
-%setup -n helm-charts
-%patch01 -p1
-%patch02 -p1
-%patch03 -p1
-%patch04 -p1
-%patch05 -p1
-%patch06 -p1
-%patch07 -p1
-%patch08 -p1
-
-%build
-# This chart does not require chartmuseum server since
-# it has no dependency on local or stable repos.
-# Make the charts. These produce a tgz file
-cp %{SOURCE3} stable
-which make
-cd stable
-make dex
-cd -
-
-%install
-install -d -m 755 ${RPM_BUILD_ROOT}%{helm_folder}
-install -p -D -m 755 stable/*.tgz ${RPM_BUILD_ROOT}%{helm_folder}
-
-
-%files
-%defattr(-,root,root,-)
-%{helm_folder}/*
--- a/dex-helm/debian/deb_folder/changelog
+++ b/dex-helm/debian/deb_folder/changelog
@ -1,5 +0,0 @@
-dex-helm (1.0-1) unstable; urgency=medium
-
-  * Initial release.
-
- --  Tracey Bogue <tracey.bogue@windriver.com>  Wed, 3 Nov 2021 08:42:42 +0000
--- a/dex-helm/debian/deb_folder/control
+++ b/dex-helm/debian/deb_folder/control
@ -1,15 +0,0 @@
-Source: dex-helm
-Section: libs
-Priority: optional
-Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
-Build-Depends: debhelper-compat (= 13),
- helm
-Standards-Version: 4.5.1
-Homepage: https://www.starlingx.io
-
-Package: dex-helm
-Section: libs
-Architecture: any
-Depends: ${misc:Depends}
-Description: StarlingX Dex Helm Charts
- This package contains Dex helm charts for the OIDC auth application.
--- a/dex-helm/debian/deb_folder/copyright
+++ b/dex-helm/debian/deb_folder/copyright
@ -1,41 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: dex-helm
-Source: https://opendev.org/starlingx/oidc-auth-armada-app/
-
-Files: *
-Copyright: (c) 2013-2021 Wind River Systems, Inc
-License: Apache-2
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- .
-    https://www.apache.org/licenses/LICENSE-2.0
- .
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- .
- On Debian-based systems the full text of the Apache version 2.0 license
- can be found in `/usr/share/common-licenses/Apache-2.0'.
-
-# If you want to use GPL v2 or later for the /debian/* files use
-# the following clauses, or change it to suit. Delete these two lines
-Files: debian/*
-Copyright: 2021 Wind River Systems, Inc
-License: Apache-2
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- .
-    https://www.apache.org/licenses/LICENSE-2.0
- .
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- .
- On Debian-based systems the full text of the Apache version 2.0 license
- can be found in `/usr/share/common-licenses/Apache-2.0'.
--- a/dex-helm/debian/deb_folder/dex-helm.install
+++ b/dex-helm/debian/deb_folder/dex-helm.install
@ -1 +0,0 @@
-usr/lib/helm/*
--- a/dex-helm/debian/deb_folder/patches/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
+++ b/dex-helm/debian/deb_folder/patches/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
@ -1,25 +0,0 @@
-From aa367b5e0a1012560b4b573a5d101307bd3dbd1a Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Mon, 4 Nov 2019 15:23:08 -0500
-Subject: [PATCH 1/1] Update Dex chart for Kubernetes API 1.16
-
---
- stable/dex/templates/deployment.yaml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..e46b748 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -6,7 +6,7 @@
- {{ $grpcCaBuiltName := printf "%s-ca" $fullname }}
- {{ $grpcCaSecretName := default $grpcCaBuiltName .Values.certs.grpc.secret.caName }}
- 
-apiVersion: apps/v1beta2
-+apiVersion: apps/v1
- kind: Deployment
- metadata:
-   name: {{ template "dex.fullname" . }}
-- 
-2.7.4
-
--- a/dex-helm/debian/deb_folder/patches/0002-add-image-pull-secrets.patch
+++ b/dex-helm/debian/deb_folder/patches/0002-add-image-pull-secrets.patch
@ -1,53 +0,0 @@
-From 99cdaab485e18af1d8bba5f24f7612de96f87039 Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Mon, 16 Dec 2019 13:58:37 -0500
-Subject: [PATCH 1/1] add image pull secrets to images
-
---
- stable/dex/templates/deployment.yaml     | 2 ++
- stable/dex/templates/job-grpc-certs.yaml | 2 ++
- stable/dex/templates/job-web-certs.yaml  | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..40f1935 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -35,6 +35,8 @@ spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       nodeSelector:
- {{ toYaml .Values.nodeSelector | indent 10 }}
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
-diff --git a/stable/dex/templates/job-grpc-certs.yaml b/stable/dex/templates/job-grpc-certs.yaml
-index 95e23a7..90514d8 100644
--- a/stable/dex/templates/job-grpc-certs.yaml
-+++ b/stable/dex/templates/job-grpc-certs.yaml
-@@ -33,6 +33,8 @@ spec:
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       restartPolicy: OnFailure
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
-diff --git a/stable/dex/templates/job-web-certs.yaml b/stable/dex/templates/job-web-certs.yaml
-index c2e56af..7c0c1f3 100644
--- a/stable/dex/templates/job-web-certs.yaml
-+++ b/stable/dex/templates/job-web-certs.yaml
-@@ -30,6 +30,8 @@ spec:
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       restartPolicy: OnFailure
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
-- 
-2.7.4
-
--- a/dex-helm/debian/deb_folder/patches/0003-Add-affinity-support.patch
+++ b/dex-helm/debian/deb_folder/patches/0003-Add-affinity-support.patch
@ -1,42 +0,0 @@
-From c2e4a94d6638aa160b23fbf2a0171f3c60b88634 Mon Sep 17 00:00:00 2001
-From: Teresa Ho <teresa.ho@windriver.com>
-Date: Tue, 17 Mar 2020 20:35:26 -0400
-Subject: [PATCH 1/1] Add affinity support
-
-Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
---
- stable/dex/templates/deployment.yaml | 4 ++++
- stable/dex/values.yaml               | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..800fb90 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -61,6 +61,10 @@ spec:
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- {{ toYaml .Values.extraVolumeMounts | indent 8 }}
- {{- end }}
-+{{- with .Values.affinity }}
-+      affinity:
-+{{ toYaml . | indent 8 }}
-+    {{- end }}
-       volumes:
-       - secret:
-           defaultMode: 420
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 01b25b6..6753e8c 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -89,6 +89,8 @@ serviceAccount:
-   # If not set and create is true, a name is generated using the fullname template
-   name:
- 
-+affinity: {}
-+
- config:
-   issuer: http://dex.io:8080
-   storage:
-- 
-1.8.3.1
-
--- a/dex-helm/debian/deb_folder/patches/0004-Automatically-roll-deployments.patch
+++ b/dex-helm/debian/deb_folder/patches/0004-Automatically-roll-deployments.patch
@ -1,33 +0,0 @@
-From 7b1b709abdb995ee5a6f3c56000c01a7eec96fff Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Wed, 13 May 2020 11:00:20 -0400
-Subject: [PATCH 1/1] Automatically roll deployments
-
-Automatically roll deployments when config is changed.
-Otherwise, the new config is pushed but the behavior
-is not. We cannot do the exact thing upstream did
-because of an armada bug. We are doing what monitor
-does when it runs into the same issue.
-Reference upstream commit:
-https://github.com/helm/charts/commit/af19146e72a1eae813e7bc6ce21b0aea9cea4341
-
-Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
---
- stable/dex/templates/deployment.yaml | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index 5e714e9..1df25b4 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -31,6 +31,8 @@ spec:
-       labels:
-         app: {{ template "dex.name" . }}
-         release: "{{ .Release.Name }}"
-+      annotations:
-+        configchecksum: {{ toYaml .Values.config | sha256sum | trunc 63 }}
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       nodeSelector:
-- 
-2.7.4
--- a/dex-helm/debian/deb_folder/patches/0005-Update-Dex-chart-for-Helm-v3.patch
+++ b/dex-helm/debian/deb_folder/patches/0005-Update-Dex-chart-for-Helm-v3.patch
@ -1,21 +0,0 @@
-From f81bba1fa22a1762d5c077f04835f593273fc4e3 Mon Sep 17 00:00:00 2001
-From: Jim Gauld <james.gauld@windriver.com>
-Date: Fri, 20 Mar 2020 19:23:49 -0400
-Subject: [PATCH] Update Dex chart for Helm v3
-
---
- stable/dex/Chart.yaml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/stable/dex/Chart.yaml b/stable/dex/Chart.yaml
-index 1ca2f7b..794579b 100644
--- a/stable/dex/Chart.yaml
-+++ b/stable/dex/Chart.yaml
-@@ -1,3 +1,4 @@
-+apiVersion: v1
- name: dex
- version: 0.8.0
- appVersion: 2.14.0
-- 
-1.8.3.1
-
--- a/dex-helm/debian/deb_folder/patches/0006-Create-new-config-value-extraStaticClients.patch
+++ b/dex-helm/debian/deb_folder/patches/0006-Create-new-config-value-extraStaticClients.patch
@ -1,94 +0,0 @@
-From 032c7e194811f37824a796d4c6293563bc8d9424 Mon Sep 17 00:00:00 2001
-From: Kristine Bujold <kristine.bujold@windriver.com>
-Date: Tue, 9 Feb 2021 08:37:42 -0600
-Subject: [PATCH] Create new config value extraStaticClients
-
-Create a new config value called extraStaticClients. This new value if
-present will be added to staticClients. This will allow a user to add
-new static clients without overriding the current staticClients config
-which is a array.  Helm does not currently merge arrays.
-
-Jira: CGTS-20205
-Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
---
- stable/dex/templates/secret.yaml | 46 ++++++++++++++++++++++++++++++--
- stable/dex/values.yaml           |  9 +++++++
- 2 files changed, 53 insertions(+), 2 deletions(-)
-
-diff --git a/stable/dex/templates/secret.yaml b/stable/dex/templates/secret.yaml
-index c5f03ff..a32b145 100644
--- a/stable/dex/templates/secret.yaml
-+++ b/stable/dex/templates/secret.yaml
-@@ -7,5 +7,47 @@ metadata:
-     heritage: "{{ .Release.Service }}"
-     release: "{{ .Release.Name }}"
-   name: {{ template "dex.fullname" . }}
-data:
-  config.yaml: {{ toYaml .Values.config | b64enc }}
-+stringData:
-+  config.yaml: |-
-+    {{- with .Values.config }}
-+    issuer: {{ .issuer }}
-+    storage:
-+{{ toYaml .storage | indent 6 }}
-+    logger:
-+{{ toYaml .logger | indent 6 }}
-+    web:
-+{{ toYaml .web | indent 6 }}
-+    {{- if $.Values.grpc }}
-+    grpc:
-+{{ toYaml .grpc | indent 6 }}
-+    {{- end }}
-+    {{- if .connectors }}
-+    connectors:
-+{{ toYaml .connectors | indent 4 }}
-+    {{- end }}
-+    oauth2:
-+    {{ toYaml .oauth2 | indent 2 }}
-+    staticClients:
-+{{ toYaml .staticClients |  trimSuffix "\n" | indent 4 }}
-+    {{- if .extraStaticClients }}
-+{{- range $key, $val := .extraStaticClients }}
-+    - id: {{ $key }}
-+      name: {{ $val.name }}
-+      secret: {{ $val.secret }}
-+      redirectURIs:
-+    {{- range $uris := $val.redirectURIs }}
-+      - {{ $uris }}
-+    {{- end }}
-+{{- end -}}
-+    {{- end }}
-+
-+    enablePasswordDB: {{ .enablePasswordDB }}
-+    {{- if .staticPasswords }}
-+    staticPasswords:
-+{{ toYaml .staticPasswords | indent 4 }}
-+    {{- end }}
-+    {{- if .expiry }}
-+    expiry:
-+{{ toYaml .expiry | indent 6 }}
-+    {{- end }}
-+    {{- end }}
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 6753e8c..347cc06 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -127,6 +127,15 @@ config:
- #    name: 'Example App'
- #    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
- #
-+
-+#  extraStaticClients:
-+#    example-app:
-+#      redirectURIs:
-+#      - 'http://192.168.42.219:31850/oauth2/callback'
-+#      name: 'Example App'
-+#      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
-+#
-+
-   enablePasswordDB: true
- # staticPasswords:
- #  - email: "admin@example.com"
-- 
-2.22.0
-
--- a/dex-helm/debian/deb_folder/patches/0007-Add-tolerance-in-dex-helm-chart.patch
+++ b/dex-helm/debian/deb_folder/patches/0007-Add-tolerance-in-dex-helm-chart.patch
@ -1,41 +0,0 @@
-From f33823d48746c138631f23962984c1500604f99f Mon Sep 17 00:00:00 2001
-From: Joao Victor Portal <Joao.VictorPortal@windriver.com>
-Date: Tue, 28 Sep 2021 14:50:12 -0300
-Subject: [PATCH] Patch7: 0007-Add-tolerance-in-dex-helm-chart.patch
-
---
- stable/dex/templates/deployment.yaml | 4 ++++
- stable/dex/values.yaml               | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index 1df25b4..975a7ea 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -65,6 +65,10 @@ spec:
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- {{ toYaml .Values.extraVolumeMounts | indent 8 }}
- {{- end }}
-+{{- with .Values.tolerations }}
-+      tolerations:
-+{{ toYaml . | indent 8 }}
-+    {{- end }}
- {{- with .Values.affinity }}
-       affinity:
- {{ toYaml . | indent 8 }}
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 347cc06..8047582 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -89,6 +89,8 @@ serviceAccount:
-   # If not set and create is true, a name is generated using the fullname template
-   name:
- 
-+tolerations: []
-+
- affinity: {}
- 
- config:
-- 
-2.17.1
-
--- a/dex-helm/debian/deb_folder/patches/series
+++ b/dex-helm/debian/deb_folder/patches/series
@ -1,7 +0,0 @@
-0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
-0002-add-image-pull-secrets.patch
-0003-Add-affinity-support.patch
-0004-Automatically-roll-deployments.patch
-0005-Update-Dex-chart-for-Helm-v3.patch
-0006-Create-new-config-value-extraStaticClients.patch
-0007-Add-tolerance-in-dex-helm-chart.patch
--- a/dex-helm/debian/deb_folder/rules
+++ b/dex-helm/debian/deb_folder/rules
@ -1,20 +0,0 @@
-#!/usr/bin/make -f
-# export DH_VERBOSE = 1
-
-export ROOT = debian/tmp
-export HELM_FOLDER = $(ROOT)/usr/lib/helm
-
-%:
-	dh $@
-
-override_dh_auto_build:
-	# Create the chart TGZ files.
-	cp Makefile stable
-	cd stable && make dex
-
-override_dh_auto_install:
-	# Install the app tar file.
-	install -d -m 755 $(HELM_FOLDER)
-	install -p -D -m 755 stable/*.tgz $(HELM_FOLDER)
-
-override_dh_auto_test:
--- a/dex-helm/debian/deb_folder/source/format
+++ b/dex-helm/debian/deb_folder/source/format
@ -1 +0,0 @@
-3.0 (quilt)
--- a/dex-helm/debian/meta_data.yaml
+++ b/dex-helm/debian/meta_data.yaml
@ -1,15 +0,0 @@
---
-debname: dex-helm
-debver: 1.0-1
-dl_path:
-  name: helm-charts-92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz
-  url: https://github.com/helm/charts/archive/92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz
-  md5sum: d32b2ad945a10441d8e1b014bddd8cb8
-src_files:
-  - files/index.yaml
-  - files/Makefile
-  - files/repositories.yaml
-  - files/metadata.yaml
-revision:
-  dist: $STX_DIST
-  PKG_GITREVCOUNT: true
--- a/dex-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
+++ b/dex-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
@ -1,25 +0,0 @@
-From aa367b5e0a1012560b4b573a5d101307bd3dbd1a Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Mon, 4 Nov 2019 15:23:08 -0500
-Subject: [PATCH 1/1] Update Dex chart for Kubernetes API 1.16
-
---
- stable/dex/templates/deployment.yaml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..e46b748 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -6,7 +6,7 @@
- {{ $grpcCaBuiltName := printf "%s-ca" $fullname }}
- {{ $grpcCaSecretName := default $grpcCaBuiltName .Values.certs.grpc.secret.caName }}
- 
-apiVersion: apps/v1beta2
-+apiVersion: apps/v1
- kind: Deployment
- metadata:
-   name: {{ template "dex.fullname" . }}
-- 
-2.7.4
-
--- a/dex-helm/files/0002-add-image-pull-secrets.patch
+++ b/dex-helm/files/0002-add-image-pull-secrets.patch
@ -1,53 +0,0 @@
-From 99cdaab485e18af1d8bba5f24f7612de96f87039 Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Mon, 16 Dec 2019 13:58:37 -0500
-Subject: [PATCH 1/1] add image pull secrets to images
-
---
- stable/dex/templates/deployment.yaml     | 2 ++
- stable/dex/templates/job-grpc-certs.yaml | 2 ++
- stable/dex/templates/job-web-certs.yaml  | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..40f1935 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -35,6 +35,8 @@ spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       nodeSelector:
- {{ toYaml .Values.nodeSelector | indent 10 }}
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
-diff --git a/stable/dex/templates/job-grpc-certs.yaml b/stable/dex/templates/job-grpc-certs.yaml
-index 95e23a7..90514d8 100644
--- a/stable/dex/templates/job-grpc-certs.yaml
-+++ b/stable/dex/templates/job-grpc-certs.yaml
-@@ -33,6 +33,8 @@ spec:
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       restartPolicy: OnFailure
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
-diff --git a/stable/dex/templates/job-web-certs.yaml b/stable/dex/templates/job-web-certs.yaml
-index c2e56af..7c0c1f3 100644
--- a/stable/dex/templates/job-web-certs.yaml
-+++ b/stable/dex/templates/job-web-certs.yaml
-@@ -30,6 +30,8 @@ spec:
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       restartPolicy: OnFailure
-+      imagePullSecrets:
-+      - name: default-registry-key
-       containers:
-       - name: main
-         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
-- 
-2.7.4
-
--- a/dex-helm/files/0003-Add-affinity-support.patch
+++ b/dex-helm/files/0003-Add-affinity-support.patch
@ -1,42 +0,0 @@
-From c2e4a94d6638aa160b23fbf2a0171f3c60b88634 Mon Sep 17 00:00:00 2001
-From: Teresa Ho <teresa.ho@windriver.com>
-Date: Tue, 17 Mar 2020 20:35:26 -0400
-Subject: [PATCH 1/1] Add affinity support
-
-Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
---
- stable/dex/templates/deployment.yaml | 4 ++++
- stable/dex/values.yaml               | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index a088188..800fb90 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -61,6 +61,10 @@ spec:
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- {{ toYaml .Values.extraVolumeMounts | indent 8 }}
- {{- end }}
-+{{- with .Values.affinity }}
-+      affinity:
-+{{ toYaml . | indent 8 }}
-+    {{- end }}
-       volumes:
-       - secret:
-           defaultMode: 420
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 01b25b6..6753e8c 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -89,6 +89,8 @@ serviceAccount:
-   # If not set and create is true, a name is generated using the fullname template
-   name:
- 
-+affinity: {}
-+
- config:
-   issuer: http://dex.io:8080
-   storage:
-- 
-1.8.3.1
-
--- a/dex-helm/files/0004-Automatically-roll-deployments.patch
+++ b/dex-helm/files/0004-Automatically-roll-deployments.patch
@ -1,33 +0,0 @@
-From 7b1b709abdb995ee5a6f3c56000c01a7eec96fff Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Wed, 13 May 2020 11:00:20 -0400
-Subject: [PATCH 1/1] Automatically roll deployments
-
-Automatically roll deployments when config is changed.
-Otherwise, the new config is pushed but the behavior
-is not. We cannot do the exact thing upstream did
-because of an armada bug. We are doing what monitor
-does when it runs into the same issue.
-Reference upstream commit:
-https://github.com/helm/charts/commit/af19146e72a1eae813e7bc6ce21b0aea9cea4341
-
-Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
---
- stable/dex/templates/deployment.yaml | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index 5e714e9..1df25b4 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -31,6 +31,8 @@ spec:
-       labels:
-         app: {{ template "dex.name" . }}
-         release: "{{ .Release.Name }}"
-+      annotations:
-+        configchecksum: {{ toYaml .Values.config | sha256sum | trunc 63 }}
-     spec:
-       serviceAccountName: {{ template "dex.serviceAccountName" . }}
-       nodeSelector:
-- 
-2.7.4
--- a/dex-helm/files/0005-Update-Dex-chart-for-Helm-v3.patch
+++ b/dex-helm/files/0005-Update-Dex-chart-for-Helm-v3.patch
@ -1,21 +0,0 @@
-From f81bba1fa22a1762d5c077f04835f593273fc4e3 Mon Sep 17 00:00:00 2001
-From: Jim Gauld <james.gauld@windriver.com>
-Date: Fri, 20 Mar 2020 19:23:49 -0400
-Subject: [PATCH] Update Dex chart for Helm v3
-
---
- stable/dex/Chart.yaml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/stable/dex/Chart.yaml b/stable/dex/Chart.yaml
-index 1ca2f7b..794579b 100644
--- a/stable/dex/Chart.yaml
-+++ b/stable/dex/Chart.yaml
-@@ -1,3 +1,4 @@
-+apiVersion: v1
- name: dex
- version: 0.8.0
- appVersion: 2.14.0
-- 
-1.8.3.1
-
--- a/dex-helm/files/0006-Create-new-config-value-extraStaticClients.patch
+++ b/dex-helm/files/0006-Create-new-config-value-extraStaticClients.patch
@ -1,94 +0,0 @@
-From 032c7e194811f37824a796d4c6293563bc8d9424 Mon Sep 17 00:00:00 2001
-From: Kristine Bujold <kristine.bujold@windriver.com>
-Date: Tue, 9 Feb 2021 08:37:42 -0600
-Subject: [PATCH] Create new config value extraStaticClients
-
-Create a new config value called extraStaticClients. This new value if
-present will be added to staticClients. This will allow a user to add
-new static clients without overriding the current staticClients config
-which is a array.  Helm does not currently merge arrays.
-
-Jira: CGTS-20205
-Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
---
- stable/dex/templates/secret.yaml | 46 ++++++++++++++++++++++++++++++--
- stable/dex/values.yaml           |  9 +++++++
- 2 files changed, 53 insertions(+), 2 deletions(-)
-
-diff --git a/stable/dex/templates/secret.yaml b/stable/dex/templates/secret.yaml
-index c5f03ff..a32b145 100644
--- a/stable/dex/templates/secret.yaml
-+++ b/stable/dex/templates/secret.yaml
-@@ -7,5 +7,47 @@ metadata:
-     heritage: "{{ .Release.Service }}"
-     release: "{{ .Release.Name }}"
-   name: {{ template "dex.fullname" . }}
-data:
-  config.yaml: {{ toYaml .Values.config | b64enc }}
-+stringData:
-+  config.yaml: |-
-+    {{- with .Values.config }}
-+    issuer: {{ .issuer }}
-+    storage:
-+{{ toYaml .storage | indent 6 }}
-+    logger:
-+{{ toYaml .logger | indent 6 }}
-+    web:
-+{{ toYaml .web | indent 6 }}
-+    {{- if $.Values.grpc }}
-+    grpc:
-+{{ toYaml .grpc | indent 6 }}
-+    {{- end }}
-+    {{- if .connectors }}
-+    connectors:
-+{{ toYaml .connectors | indent 4 }}
-+    {{- end }}
-+    oauth2:
-+    {{ toYaml .oauth2 | indent 2 }}
-+    staticClients:
-+{{ toYaml .staticClients |  trimSuffix "\n" | indent 4 }}
-+    {{- if .extraStaticClients }}
-+{{- range $key, $val := .extraStaticClients }}
-+    - id: {{ $key }}
-+      name: {{ $val.name }}
-+      secret: {{ $val.secret }}
-+      redirectURIs:
-+    {{- range $uris := $val.redirectURIs }}
-+      - {{ $uris }}
-+    {{- end }}
-+{{- end -}}
-+    {{- end }}
-+
-+    enablePasswordDB: {{ .enablePasswordDB }}
-+    {{- if .staticPasswords }}
-+    staticPasswords:
-+{{ toYaml .staticPasswords | indent 4 }}
-+    {{- end }}
-+    {{- if .expiry }}
-+    expiry:
-+{{ toYaml .expiry | indent 6 }}
-+    {{- end }}
-+    {{- end }}
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 6753e8c..347cc06 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -127,6 +127,15 @@ config:
- #    name: 'Example App'
- #    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
- #
-+
-+#  extraStaticClients:
-+#    example-app:
-+#      redirectURIs:
-+#      - 'http://192.168.42.219:31850/oauth2/callback'
-+#      name: 'Example App'
-+#      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
-+#
-+
-   enablePasswordDB: true
- # staticPasswords:
- #  - email: "admin@example.com"
-- 
-2.22.0
-
--- a/dex-helm/files/0007-Add-tolerance-in-dex-helm-chart.patch
+++ b/dex-helm/files/0007-Add-tolerance-in-dex-helm-chart.patch
@ -1,41 +0,0 @@
-From f33823d48746c138631f23962984c1500604f99f Mon Sep 17 00:00:00 2001
-From: Joao Victor Portal <Joao.VictorPortal@windriver.com>
-Date: Tue, 28 Sep 2021 14:50:12 -0300
-Subject: [PATCH] Patch7: 0007-Add-tolerance-in-dex-helm-chart.patch
-
---
- stable/dex/templates/deployment.yaml | 4 ++++
- stable/dex/values.yaml               | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index 1df25b4..975a7ea 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -65,6 +65,10 @@ spec:
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- {{ toYaml .Values.extraVolumeMounts | indent 8 }}
- {{- end }}
-+{{- with .Values.tolerations }}
-+      tolerations:
-+{{ toYaml . | indent 8 }}
-+    {{- end }}
- {{- with .Values.affinity }}
-       affinity:
- {{ toYaml . | indent 8 }}
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 347cc06..8047582 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -89,6 +89,8 @@ serviceAccount:
-   # If not set and create is true, a name is generated using the fullname template
-   name:
- 
-+tolerations: []
-+
- affinity: {}
- 
- config:
-- 
-2.17.1
-
--- a/dex-helm/files/0008-fix-deployment-nodePorts-for-helmv3.patch
+++ b/dex-helm/files/0008-fix-deployment-nodePorts-for-helmv3.patch
@ -1,50 +0,0 @@
-From f611d30a61220a933266f390646ea04c5c97966b Mon Sep 17 00:00:00 2001
-From: Michel Thebeau <Michel.Thebeau@windriver.com>
-Date: Mon, 14 Mar 2022 13:50:15 -0400
-Subject: [PATCH] fix deployment nodePorts for helmv3
-
-Helmv3 reports "Deployment.spec.template.spec.containers[0].ports[0]):
-unknown field "nodePort" in io.k8s.api.core.v1.ContainerPort"
-
-Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
---
- stable/dex/templates/deployment.yaml | 6 ++++++
- stable/dex/values.yaml               | 7 +++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
-index 975a7ea..8edddcf 100644
--- a/stable/dex/templates/deployment.yaml
-+++ b/stable/dex/templates/deployment.yaml
-@@ -50,7 +50,13 @@ spec:
-         resources:
- {{ toYaml .Values.resources | indent 10 }}
-         ports:
-+{{- if eq false $.Values.helmv3Compatible }}
- {{ toYaml .Values.ports | indent 10 }}
-+{{- else }}
-+          - name: http
-+            containerPort: {{ .Values.nodePort }}
-+            protocol: TCP
-+{{- end }}
-         env:
- {{ toYaml .Values.env | indent 10 }}
-         volumeMounts:
-diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
-index 8047582..9586a97 100644
--- a/stable/dex/values.yaml
-+++ b/stable/dex/values.yaml
-@@ -145,3 +145,10 @@ config:
- #    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- #    username: "admin"
- #    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
-+
-+# Set as true to fix compatibility issues with Helmv3
-+helmv3Compatible: false
-+
-+# Also for helmv3 compatibility, should be the same as
-+# .Values.ports.[index of name='http'].nodePort
-+nodePort: 32080
-- 
-2.29.2
-
--- a/dex-helm/files/Makefile
+++ b/dex-helm/files/Makefile
@ -1,43 +0,0 @@
-#
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Copyright (c) 2019 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# It's necessary to set this because some environments don't link sh -> bash.
-SHELL := /bin/bash
-TASK  := build
-
-EXCLUDES := helm-toolkit doc tests tools logs tmp
-CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
-
-.PHONY: $(EXCLUDES) $(CHARTS)
-
-all: $(CHARTS)
-
-$(CHARTS):
-	@if [ -d $@ ]; then \
-		echo; \
-		echo "===== Processing [$@] chart ====="; \
-		make $(TASK)-$@; \
-	fi
-
-init-%:
-	if [ -f $*/Makefile ]; then make -C $*; fi
-	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
-
-lint-%: init-%
-	if [ -d $* ]; then helm lint $*; fi
-
-build-%: lint-%
-	if [ -d $* ]; then helm package $*; fi
-
-clean:
-	@echo "Clean all build artifacts"
-	rm -f */templates/_partials.tpl */templates/_globals.tpl
-	rm -f *tgz */charts/*tgz */requirements.lock
-	rm -rf */charts */tmpcharts
-
-%:
-	@:
--- a/dex-helm/files/index.yaml
+++ b/dex-helm/files/index.yaml
@ -1,3 +0,0 @@
-apiVersion: v1
-entries: {}
-generated: 2019-01-07T12:33:46.098166523-06:00
--- a/dex-helm/files/metadata.yaml
+++ b/dex-helm/files/metadata.yaml
@ -1,3 +0,0 @@
-app_name: @APP_NAME@
-app_version: @APP_VERSION@
-helm_repo: @HELM_REPO@
--- a/dex-helm/files/repositories.yaml
+++ b/dex-helm/files/repositories.yaml
@ -1,12 +0,0 @@
-apiVersion: v1
-generated: 2019-01-02T15:19:36.215111369-06:00
-repositories:
- caFile: ""
-  cache: /builddir/.helm/repository/cache/local-index.yaml
-  certFile: ""
-  keyFile: ""
-  name: local
-  password: ""
-  url: http://127.0.0.1:8879/charts
-  username: ""
-
--- a/dex/centos/dex.stable_docker_image
+++ b/dex/centos/dex.stable_docker_image
@ -1,5 +0,0 @@
-BUILDER=docker
-LABEL=dex
-DOCKER_REPO=https://github.com/dexidp/dex.git
-DOCKER_REF=f1581ff873a200cf9dd01bf261e056267d57b991 # SHA for v2.14.0, as of Jan 21, 2020
-DOCKER_PATCHES="docker_patches/0001-Wrap-Kubernetes-host-address-in-square-brackets.patch"
--- a/dex/centos/docker_patches/0001-Wrap-Kubernetes-host-address-in-square-brackets.patch
+++ b/dex/centos/docker_patches/0001-Wrap-Kubernetes-host-address-in-square-brackets.patch
@ -1,36 +0,0 @@
-From a084a721f2485e4eba81fe50e52fd3f3932024fa Mon Sep 17 00:00:00 2001
-From: Jerry Sun <jerry.sun@windriver.com>
-Date: Fri, 24 Jan 2020 09:13:40 -0500
-Subject: [PATCH 1/1] Wrap Kubernetes host address in square brackets
-
-When constructing the host address string, the address is
-not wrapped in square brackets. This does not work in IPv6
-Kubernetes deployments. This commit adds square brackets
-around the address. IPv4 was also tested to ensure it works
-with wrapped address.
-
-Story: 2006711
-Task: 38610
-
-Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
---
- storage/kubernetes/client.go | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/storage/kubernetes/client.go b/storage/kubernetes/client.go
-index cb7fd28..f16bc77 100644
--- a/storage/kubernetes/client.go
-+++ b/storage/kubernetes/client.go
-@@ -419,6 +419,9 @@ func inClusterConfig() (cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace
- 		err = fmt.Errorf("unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined")
- 		return
- 	}
-+	// we need to wrap IPv6 addresses in square brackets
-+	// IPv4 also works with square brackets
-+        host = "[" + host + "]"
- 	cluster = k8sapi.Cluster{
- 		Server:               "https://" + host + ":" + port,
- 		CertificateAuthority: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
-- 
-2.7.4
-
--- a/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/helm/dex.py
+++ b/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/helm/dex.py
@ -16,8 +16,6 @@ class Dex(DexBaseHelm):

    CHART = app_constants.HELM_CHART_DEX

-    SERVICE_NAME = 'dex'
-
    def get_namespaces(self):
        return self.SUPPORTED_NAMESPACES

@ -39,14 +37,19 @@ class Dex(DexBaseHelm):

    def get_overrides(self, namespace=None):

-        ports = []
-        dex_port = {
-            'name': 'http',
-            'containerPort': 5556,
-            'protocol': 'TCP',
-            'nodePort': self.DEX_NODE_PORT,
+        env = {
+            'name': 'KUBERNETES_POD_NAMESPACE',
+            'value': common.HELM_NS_KUBE_SYSTEM
+        }
+
+        service = {
+            'type': 'NodePort',
+            'ports': {
+                'https': {
+                    'nodePort': self.DEX_NODE_PORT
+                }
+            }
        }
-        ports.append(dex_port)

        overrides = {
            common.HELM_NS_KUBE_SYSTEM: {
@ -55,9 +58,9 @@ class Dex(DexBaseHelm):
                                                     self.DEX_NODE_PORT),
                    'staticClients': self._get_static_clients(),
                },
-                'ports': ports,
-                'replicas': self._num_replicas_for_platform_app(),
-                'nodePort': self.DEX_NODE_PORT,
+                'replicaCount': self._num_replicas_for_platform_app(),
+                'env': env,
+                'service': service
            }
        }

--- a/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/tests/test_dex.py
+++ b/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/tests/test_dex.py
@ -50,7 +50,7 @@ class DexIPv4ControllerHostTestCase(DexTestCase,

        self.assertOverridesParameters(overrides, {
            # 1 replica for 1 controller
-            'replicas': 1
+            'replicaCount': 1
        })


@ -65,5 +65,5 @@ class DexIPv6AIODuplexSystemTestCase(DexTestCase,

        self.assertOverridesParameters(overrides, {
            # 2 replicas for 2 controllers
-            'replicas': 2
+            'replicaCount': 2
        })
--- a/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/tests/test_oidc_client.py
+++ b/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/tests/test_oidc_client.py
@ -50,7 +50,7 @@ class OidcClientIPv4ControllerHostTestCase(OidcClientTestCase,

        self.assertOverridesParameters(overrides, {
            # Only one replica for a single controller
-            'replicas': 1
+            'replicaCount': 1
        })


@ -69,5 +69,5 @@ class OidcClientIPv4AIODuplexSystemTestCase(OidcClientTestCase,

        self.assertOverridesParameters(overrides, {
            # Expect two replicas because there are two controllers
-            'replicas': 2
+            'replicaCount': 2
        })
--- a/stx-oidc-auth-helm/centos/build_srpm.data
+++ b/stx-oidc-auth-helm/centos/build_srpm.data
@ -8,5 +8,6 @@ TIS_PATCH_VER=GITREVCOUNT
 COPY_LIST="$PKG_BASE/$SRC_DIR/files/*"

 COPY_LIST_TO_TAR="\
+    $STX_BASE/downloads/dex-0.8.2.tgz
    $STX_BASE/helm-charts/secret-observer/secret-observer/helm-charts \
 "
--- a/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
+++ b/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
@ -8,7 +8,10 @@
 # Build variables
 %global helm_folder /usr/lib/helm

-Summary: StarlingX K8S application: OIDC authorization
+# the dex chart tar name
+%global dex_tar_name dex-0.8.2.tgz
+
+Summary: The StarlingX K8S application for OIDC authorization
 Name: stx-oidc-auth-helm
 Version: 1.0
 Release: %{tis_patch_ver}%{?_tis_dist}
@ -19,32 +22,22 @@ URL: unknown

 Source0: %{name}-%{version}.tar.gz

+# a patch for secret observer
 Patch01: 0001-move-metadata-release-for-helmv3.patch

-# secret-observer source from stx//helm-charts/secret-observer
+# secret-observer source from stx/helm-charts/secret-observer
 # plugin source from stx/oidc-auth-armada-app/python-k8sapp-oidc
-# dex-helm source from stx/oidc-auth-armada-app/dex-helm/ and:
-# stx/downloads/helm-charts-92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz
+# dex-helm source from stx/downloads/dex-0.8.2.tgz

 BuildArch: noarch

 BuildRequires: helm
-BuildRequires: dex-helm
 BuildRequires: python-k8sapp-oidc
 BuildRequires: python-k8sapp-oidc-wheels
-Requires: dex-helm

 %description
 The StarlingX K8S application for OIDC authorization

-%package fluxcd
-Summary: The StarlingX K8S Fluxcd application for OIDC authorization
-Group: base
-License: Apache-2.0
-
-%description fluxcd
-The StarlingX K8S Fluxcd application for OIDC authorization
-
 %prep
 %setup

@ -62,20 +55,29 @@ make secret-observer
 # switch back to source root
 cd -

+# patch the dex chart
+tar xf %{dex_tar_name}
+rm %{dex_tar_name}
+patch -p1 < files/0001-Create-new-config-value-extraStaticClients.patch
+find dex -type f -print0 | xargs -0 tar zcf %{dex_tar_name}
+rm -r dex
+
 # Create a chart tarball compliant with sysinv kube-app.py
 %define app_staging %{_builddir}/staging
-%define app_tarball_armada %{app_name}-%{version}-%{tis_patch_ver}.tgz
-%define app_tarball_fluxcd %{app_name}-fluxcd-%{version}-%{tis_patch_ver}.tgz
-%define armada_app_path %{_builddir}/%{app_tarball_armada}
-%define fluxcd_app_path %{_builddir}/%{app_tarball_fluxcd}
+%define app_tarball %{app_name}-%{version}-%{tis_patch_ver}.tgz
+%define app_path %{_builddir}/%{app_tarball}

 # Setup staging
 mkdir -p %{app_staging}
 cp files/metadata.yaml %{app_staging}
-cp manifests/manifest.yaml %{app_staging}
 mkdir -p %{app_staging}/charts
 cp helm-charts/*.tgz %{app_staging}/charts
-cp %{helm_folder}/dex*.tgz %{app_staging}/charts
+cp dex*.tgz %{app_staging}/charts
+cp -R fluxcd-manifests %{app_staging}/
+
+# Copy the plugins: installed in the buildroot
+mkdir -p %{app_staging}/plugins
+cp /plugins/%{app_name}/*.whl %{app_staging}/plugins

 cd %{app_staging}

@ -84,28 +86,10 @@ sed -i 's/@APP_NAME@/%{app_name}/g' %{app_staging}/metadata.yaml
 sed -i 's/@APP_VERSION@/%{version}-%{tis_patch_ver}/g' %{app_staging}/metadata.yaml
 sed -i 's/@HELM_REPO@/%{helm_repo}/g' %{app_staging}/metadata.yaml

-# Copy the plugins: installed in the buildroot
-mkdir -p %{app_staging}/plugins
-cp /plugins/%{app_name}/*.whl %{app_staging}/plugins
-
 # calculate checksum of all files in app_staging
 find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
-# package armada app
-tar -zcf %armada_app_path -C %{app_staging}/ .
-
-# switch back to source root
-cd -
-
-# Prepare app_staging for fluxcd package
-rm -f %{app_staging}/manifest.yaml
-
-cp -R fluxcd-manifests %{app_staging}/
-
-# calculate checksum of all files in app_staging
-cd %{app_staging}
-find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
-# package fluxcd app
-tar -zcf %fluxcd_app_path -C %{app_staging}/ .
+# package the app
+tar -zcf %app_path -C %{app_staging}/ .

 # switch back to source root
 cd -
@ -115,13 +99,8 @@ rm -fr %{app_staging}

 %install
 install -d -m 755 %{buildroot}/%{app_folder}
-install -p -D -m 755 %armada_app_path %{buildroot}/%{app_folder}
-install -p -D -m 755 %fluxcd_app_path %{buildroot}/%{app_folder}
+install -p -D -m 755 %app_path %{buildroot}/%{app_folder}

 %files
 %defattr(-,root,root,-)
-%{app_folder}/%{app_tarball_armada}
-
-%files fluxcd
-%defattr(-,root,root,-)
-%{app_folder}/%{app_tarball_fluxcd}
+%{app_folder}/%{app_tarball}
--- a/stx-oidc-auth-helm/debian/deb_folder/control
+++ b/stx-oidc-auth-helm/debian/deb_folder/control
@ -3,7 +3,6 @@ Section: libs
 Priority: optional
 Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
 Build-Depends: debhelper-compat (= 13),
- dex-helm,
 helm,
 python3-k8sapp-oidc,
 python3-k8sapp-oidc-wheels
@ -13,7 +12,7 @@ Homepage: https://www.starlingx.io
 Package: stx-oidc-auth-helm
 Section: libs
 Architecture: any
-Depends: ${misc:Depends}, dex-helm
+Depends: ${misc:Depends}
 Description: StarlingX OIDC Authorization Helm Charts
- This package contains Armada helm charts for the OIDC authorization
+ This package contains helm charts for the OIDC authorization
 application.
--- a/stx-oidc-auth-helm/debian/deb_folder/rules
+++ b/stx-oidc-auth-helm/debian/deb_folder/rules
@ -14,21 +14,30 @@ export APP_TARBALL = $(APP_NAME)-$(APP_VERSION).tgz
 export HELM_FOLDER = /usr/lib/helm
 export HELM_REPO = stx-platform
 export STAGING = staging
+export DEX_TAR_NAME = dex-0.8.2.tgz

 %:
 	dh $@

 override_dh_auto_build:
+	# patch secret-observer
+	patch -p1 < files/0001-move-metadata-release-for-helmv3.patch
 	# Create the TGZ file.
 	cd helm-charts && make oidc-client
 	cd helm-charts && make secret-observer
+	# patch the dex chart
+	tar xf ${DEX_TAR_NAME}
+	rm ${DEX_TAR_NAME}
+	patch -p1 < files/0001-Create-new-config-value-extraStaticClients.patch
+	find dex -type f -print0 | xargs -0 tar zcf ${DEX_TAR_NAME}
+	rm -r dex
 	# Setup the staging directory.
 	mkdir -p $(STAGING)
 	cp files/metadata.yaml $(STAGING)
-	cp manifests/manifest.yaml $(STAGING)
 	mkdir -p $(STAGING)/charts
 	cp helm-charts/*.tgz $(STAGING)/charts
-	cp $(HELM_FOLDER)/dex*.tgz $(STAGING)/charts
+	cp dex*.tgz $(STAGING)/charts
+	cp -R fluxcd-manifests $(STAGING)
 	# Populate metadata.
 	sed -i 's/@APP_NAME@/$(APP_NAME)/g' $(STAGING)/metadata.yaml
 	sed -i 's/@APP_VERSION@/$(APP_VERSION)/g' $(STAGING)/metadata.yaml
--- a/stx-oidc-auth-helm/debian/meta_data.yaml
+++ b/stx-oidc-auth-helm/debian/meta_data.yaml
@ -4,6 +4,11 @@ debver: 1.0-1
 src_path: stx-oidc-auth-helm
 src_files:
  - ${MY_REPO}/stx/helm-charts/secret-observer/secret-observer/helm-charts
+dl_files:
+  dex-0.8.2.tgz:
+    topdir: null
+    url: https://github.com/dexidp/helm-charts/releases/download/dex-0.8.2/dex-0.8.2.tgz
+    md5sum: bfbe56a46cf23c68d27c6a018a565d95
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: true
--- a/stx-oidc-auth-helm/stx-oidc-auth-helm/files/0001-Create-new-config-value-extraStaticClients.patch
+++ b/stx-oidc-auth-helm/stx-oidc-auth-helm/files/0001-Create-new-config-value-extraStaticClients.patch
@ -0,0 +1,127 @@
+From 000cf954b437fc44e6d671a0b1319649459a1c90 Mon Sep 17 00:00:00 2001
+From: Michel Thebeau <Michel.Thebeau@windriver.com>
+Date: Tue, 10 May 2022 09:14:20 -0400
+Subject: [PATCH] Create new config value extraStaticClients
+
+Create a new config value called extraStaticClients. This new value if
+present will be added to staticClients. This will allow a user to add
+new static clients without overriding the current staticClients config
+which is a array.  Helm does not currently merge arrays.
+
+The original patch was authored by Kristine Bujold for dex version
+2.14.0, helm chart version 0.8.0 (https://github.com/helm/charts).  This
+version updates the set of config options, and assumes only the issuer
+is mandatory (refer to if statements).  The new dex version (2.31.1)
+would have passed the entire config dictionary as provided in
+values.yaml, whereas the old dex had composed the config dictionary from
+values.yaml.
+
+Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
+---
+ dex/templates/secret.yaml | 67 +++++++++++++++++++++++++++++++++++++--
+ dex/values.yaml           | 13 ++++++++
+ 2 files changed, 78 insertions(+), 2 deletions(-)
+
+diff --git a/dex/templates/secret.yaml b/dex/templates/secret.yaml
+index 27d3954..24f694a 100644
+--- a/dex/templates/secret.yaml
+++ b/dex/templates/secret.yaml
+@@ -6,6 +6,69 @@ metadata:
+   labels:
+     {{- include "dex.labels" . | nindent 4 }}
+ type: Opaque
+-data:
+-  config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
+stringData:
+  config.yaml: |-
+    {{- with .Values.config }}
+    issuer: {{ .issuer }}
+    {{- if .storage }}
+    storage:
+{{ toYaml .storage | indent 6 }}
+    {{- end }}
+    {{- if .logger }}
+    logger:
+{{ toYaml .logger | indent 6 }}
+    {{- end }}
+    {{- if .web }}
+    web:
+{{ toYaml .web | indent 6 }}
+    {{- end }}
+    {{- if .grpc }}
+    grpc:
+{{ toYaml .grpc | indent 6 }}
+    {{- end }}
+    {{- if .connectors }}
+    connectors:
+{{ toYaml .connectors | indent 4 }}
+    {{- end }}
+    {{- if .oauth2 }}
+    oauth2:
+{{ toYaml .oauth2 | indent 6 }}
+    {{- end }}
+    {{- if or .staticClients .extraStaticClients }}
+    staticClients:
+    {{- if .staticClients }}
+{{ toYaml .staticClients |  trimSuffix "\n" | indent 4 }}
+    {{- end }}
+    {{- if .extraStaticClients }}
+{{- range $key, $val := .extraStaticClients }}
+    - id: {{ $key }}
+      name: {{ $val.name }}
+      secret: {{ $val.secret }}
+      redirectURIs:
+    {{- range $uris := $val.redirectURIs }}
+      - {{ $uris }}
+    {{- end }}
+{{- end -}}
+    {{- end }}
+    {{- end }}
+    {{- if .enablePasswordDB }}
+    enablePasswordDB: {{ .enablePasswordDB }}
+    {{- end }}
+    {{- if .staticPasswords }}
+    staticPasswords:
+{{ toYaml .staticPasswords | indent 4 }}
+    {{- end }}
+    {{- if .expiry }}
+    expiry:
+{{ toYaml .expiry | indent 6 }}
+    {{- end }}
+    {{- if .frontend }}
+    frontend:
+{{ toYaml .frontend | indent 6 }}
+    {{- end }}
+    {{- if .telemetry }}
+    telemetry:
+{{ toYaml .telemetry | indent 6 }}
+    {{- end }}
+    {{- end }}
+ {{- end }}
+diff --git a/dex/values.yaml b/dex/values.yaml
+index f879cdf..e55d479 100644
+--- a/dex/values.yaml
+++ b/dex/values.yaml
+@@ -51,6 +51,19 @@ configSecret:
+ # See the [official documentation](https://dexidp.io/docs/).
+ config: {}
+ 
+# Addendum for config:
+# -- extraStaticClients
+# if config.extraStaticClients is present it will be added to
+# config.staticClients.  This option allows a second procedure to add
+# clients without overriding an existing user override.
+
+#   extraStaticClients:
+#     example-app:
+#       redirectURIs:
+#       - 'http://192.168.42.219:31850/oauth2/callback'
+#       name: 'Example App'
+#       secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+ # -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/).
+ # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
+ volumes: []
+-- 
+2.25.1
+
--- a/stx-oidc-auth-helm/stx-oidc-auth-helm/fluxcd-manifests/dex/dex-static-overrides.yaml
+++ b/stx-oidc-auth-helm/stx-oidc-auth-helm/fluxcd-manifests/dex/dex-static-overrides.yaml
@ -4,35 +4,47 @@
 # SPDX-License-Identifier: Apache-2.0
 #

-image: docker.io/starlingx/dex
-imageTag: stx.4.0-v2.14.0-1
+image:
+  repository: ghcr.io/dexidp/dex
+  pullPolicy: IfNotPresent
+  tag: v2.31.1
+imagePullSecrets:
+  - name: default-registry-key
 env:
-  - name: KUBERNETES_POD_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
+  name: KUBERNETES_POD_NAMESPACE
+  value: kube-system
 config:
  enablePasswordDB: false
  web:
-    https: 0.0.0.0:5556
-    tlsCert: /etc/dex/tls/https/server/tls.crt
-    tlsKey: /etc/dex/tls/https/server/tls.key
+    tlsCert: /etc/dex/tls/tls.crt
+    tlsKey: /etc/dex/tls/tls.key
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+  oauth2:
+    skipApprovalScreen: true
+  logger:
+    level: debug
 service:
  type: NodePort
+  ports:
+    https:
+      nodePort: 30556
+https:
+  enabled: true
+grpc:
+  enabled: false
 nodeSelector:
  node-role.kubernetes.io/master: ""
-certs:
-  web:
-    create: false
+volumeMounts:
+  - mountPath: /etc/dex/tls/
+    name: https-tls
+volumes:
+  - name: https-tls
    secret:
-      tlsName: local-dex.tls
-      caName: local-dex.tls
-  grpc:
-    create: false
-    secret:
-      serverTlsName: local-dex.tls
-      clientTlsName: local-dex.tls
-      caName: local-dex.tls
+      defaultMode: 420
+      secretName: local-dex.tls
 tolerations:
 - key: "node-role.kubernetes.io/master"
  operator: "Exists"
@ -47,4 +59,3 @@ affinity:
          values:
          - dex
      topologyKey: kubernetes.io/hostname
-helmv3Compatible: true
--- a/stx-oidc-auth-helm/stx-oidc-auth-helm/fluxcd-manifests/dex/helmrelease.yaml
+++ b/stx-oidc-auth-helm/stx-oidc-auth-helm/fluxcd-manifests/dex/helmrelease.yaml
@ -15,7 +15,7 @@ spec:
  chart:
    spec:
      chart: dex
-      version: 0.8.0
+      version: 0.8.2
      sourceRef:
        kind: HelmRepository
        name: stx-platform
--- a/stx-oidc-auth-helm/stx-oidc-auth-helm/manifests/manifest.yaml
+++ b/stx-oidc-auth-helm/stx-oidc-auth-helm/manifests/manifest.yaml
@ -1,189 +0,0 @@
---
-schema: armada/Chart/v1
-metadata:
-  schema: metadata/Document/v1
-  name: kube-system-dex
-data:
-  chart_name: dex
-  release: dex
-  namespace: kube-system
-  wait:
-    timeout: 1800
-    labels:
-      app: dex
-  install:
-    no_hooks: false
-  upgrade:
-    no_hooks: false
-    pre:
-      delete:
-        - type: job
-          labels:
-            app: dex
-  values:
-    image: docker.io/starlingx/dex
-    imageTag: stx.4.0-v2.14.0-1
-    env:
-      - name: KUBERNETES_POD_NAMESPACE
-        valueFrom:
-          fieldRef:
-            fieldPath: metadata.namespace
-    config:
-      enablePasswordDB: false
-      web:
-        https: 0.0.0.0:5556
-        tlsCert: /etc/dex/tls/https/server/tls.crt
-        tlsKey: /etc/dex/tls/https/server/tls.key
-    service:
-      type: NodePort
-    nodeSelector:
-      node-role.kubernetes.io/master: ""
-    certs:
-      web:
-        create: false
-        secret:
-          tlsName: local-dex.tls
-          caName: local-dex.tls
-      grpc:
-        create: false
-        secret:
-          serverTlsName: local-dex.tls
-          clientTlsName: local-dex.tls
-          caName: local-dex.tls
-    tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Exists"
-      effect: "NoSchedule"
-    affinity:
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchExpressions:
-            - key: app
-              operator: In
-              values:
-              - dex
-          topologyKey: kubernetes.io/hostname
-  source:
-    type: tar
-    location: http://172.17.0.1:8080/helm_charts/stx-platform/dex-0.8.0.tgz
-    subpath: dex
-    reference: master
-  dependencies: []
---
-schema: armada/Chart/v1
-metadata:
-  schema: metadata/Document/v1
-  name: kube-system-oidc-client
-data:
-  chart_name: oidc-client
-  release: oidc-client
-  namespace: kube-system
-  wait:
-    timeout: 1800
-    labels:
-      app: dex
-  install:
-    no_hooks: false
-  upgrade:
-    no_hooks: false
-    pre:
-      delete:
-        - type: job
-          labels:
-            app: oidc-client
-  values:
-    config:
-      issuer_root_ca: /home/dex-ca.pem
-      listen: https://0.0.0.0:5555
-      tlsCert: /etc/dex/tls/https/server/tls.crt
-      tlsKey: /etc/dex/tls/https/server/tls.key
-    nodeSelector:
-      node-role.kubernetes.io/master: ""
-    service:
-      type: NodePort
-      port: 5555
-    tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Exists"
-      effect: "NoSchedule"
-    affinity:
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchExpressions:
-            - key: app
-              operator: In
-              values:
-              - stx-oidc-client
-          topologyKey: kubernetes.io/hostname
-  source:
-    type: tar
-    location: http://172.17.0.1:8080/helm_charts/stx-platform/oidc-client-0.1.0.tgz
-    subpath: oidc-client
-    reference: master
-  dependencies: []
---
-schema: armada/Chart/v1
-metadata:
-  schema: metadata/Document/v1
-  name: kube-system-secret-observer
-data:
-  chart_name: secret-observer
-  release: auth-secret-observer
-  namespace: kube-system
-  values:
-    namespace: "kube-system"
-    observedSecrets:
-      - secretName: "dex-client-secret"
-        filename: "dex-ca.pem"
-        deploymentToRestart: "stx-oidc-client"
-      - secretName: "local-dex.tls"
-        filename: "tls.crt"
-        deploymentToRestart: "stx-oidc-client"
-      - secretName: "local-dex.tls"
-        filename: "tls.crt"
-        deploymentToRestart: "oidc-dex"
-    tolerations:
-      - key: "node-role.kubernetes.io/master"
-        operator: "Exists"
-        effect: "NoSchedule"
-  source:
-    location: http://172.17.0.1:8080/helm_charts/stx-platform/secret-observer-0.1.0.tgz
-    subpath: secret-observer
-    type: tar
-    reference: master
-  upgrade:
-    no_hooks: false
-    pre:
-      delete:
-      - labels:
-          release_group: kube-system-secret-observer
-        type: job
-  wait:
-    labels:
-      release_group: kube-system-secret-observer
-    resources: []
-    timeout: 1800
-  dependencies: []
---
-schema: armada/ChartGroup/v1
-metadata:
-  schema: metadata/Document/v1
-  name: starlingx-dex-charts
-data:
-  description: StarlingX Dex Charts
-  sequenced: true
-  chart_group:
-  - kube-system-dex
-  - kube-system-oidc-client
-  - kube-system-secret-observer
---
-schema: armada/Manifest/v1
-metadata:
-  schema: metadata/Document/v1
-  name: oidc-auth-manifest
-data:
-  release_prefix: oidc
-  chart_groups:
-  - starlingx-dex-charts
				`@ -0,0 +1 @@`
				`dex-0.8.2.tgz#dex#https://github.com/dexidp/helm-charts/releases/download/dex-0.8.2/dex-0.8.2.tgz#https##`